Collecting Windows® event logs

Windows® events are organized into specific log categories. By default, computers running Windows® NT or later record error, warning and information events in three logs, namely the Security, Application and System logs.

Computers that have more specialized roles on the network, such as Domain Controllers and DNS Servers, have additional event log categories.

As a minimum, Windows® Operating Systems record events in the following logs:

Log Type | Description
Security event log | Contains security-related events through which you can audit successful or attempted security breaches. Typical events found in the Security log include valid and invalid logon attempts.
Application event log | Contains events recorded by software applications/programs, such as file errors.
System event log | Contains events logged by operating system components, such as failures to load device drivers.
Directory Service log | Contains events generated by Active Directory, including successful or failed attempts to update the Active Directory database.
File Replication Service log | Contains events recorded by the Windows® File Replication service. These include file replication failures and events that occur while domain controllers are being updated with information about Sysvol.
DNS Server log | Contains events associated with the process of resolving DNS names to IP addresses.
Applications and Services Logs | Contain events associated with Windows® Vista and later and the services/functionality they offer.

Computer group properties: Configuring Windows® Event Logs parameters

To configure Windows® Event Log collection and processing parameters:

1. From the Configuration tab > Event Sources, right-click an event source or group and select Properties.

Selecting event logs to collect

2. Click the Windows Event Log tab > Add... to select the logs you want to collect. Expand Windows Logs and/or Applications and Services Logs and select from the list of available logs.

3. (Optional) Click Add custom log... and key in a unique name for an event log that is not listed.

Configuring Windows Event Log Processing parameters

4. Select Clear collected events after completion to clear the collected events from the respective event source.

5. Select Archive events in database to archive collected events (in the SQL Server based database back end of GFI EventsManager) without applying event processing rules.

6. Select Process using these rule sets and select the rule sets you want to run against the collected events.

7. Select Add generic fields to add extended fields to the database. Extended fields contain data from event descriptions and are added by a common name (example: "Field01", "Custom field name").

8. Click Apply and OK.

Important

Deleting event logs without archiving may lead to legal compliance penalties.
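The logs named in the table above and the archive-before-clear advice in this note, as an added PowerShell example that is not part of the GFI EventsManager documentation: it inventories the named logs on the local host (record count, size limit and retention mode) and exports each log that exists and holds records to an .evtx file. $ArchiveDir and the two Applications and Services channel names are assumptions; an elevated session is required to read and export the Security log.

```powershell
# Added example, not GFI EventsManager code: inventory the Windows event logs named
# in the table and archive each one that exists to an .evtx file before any
# "clear after collection" setting is turned on. Assumes an elevated session.
$ArchiveDir = 'C:\EventLogArchive'   # constructed/assumed location, adjust as required

# Classic logs every Windows host has, plus the role-specific logs from the table;
# role logs are simply absent on hosts that do not hold that role.
$LogsOfInterest = @(
    'Security', 'Application', 'System',
    'Directory Service', 'File Replication Service', 'DNS Server'
)
# Applications and Services Logs use channel-style names; these two are illustrative.
$LogsOfInterest += @(
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational'
)

function Get-LogInventory {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Missing logs (e.g. 'DNS Server' on a non-DNS host) return nothing instead of an error.
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LogName   = $name
            Present   = [bool]$cfg
            Enabled   = if ($cfg) { $cfg.IsEnabled } else { $null }
            Records   = if ($cfg) { $cfg.RecordCount } else { $null }
            MaxSizeMB = if ($cfg) { [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1) } else { $null }
            LogMode   = if ($cfg) { $cfg.LogMode } else { $null }   # Circular: oldest events are overwritten
        }
    }
}

function Export-LogArchive {
    param([string[]]$Names, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($name in $Names) {
        # Channel names contain '/', which is not valid in a file name.
        $file = Join-Path $Destination ("{0}-{1}.evtx" -f ($name -replace '[\\/]', '_'), $stamp)
        & wevtutil.exe epl $name $file
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export of '$name' failed (exit code $LASTEXITCODE)" }
        else { Write-Output "Archived $name -> $file" }
    }
}

$inventory = Get-LogInventory -Names $LogsOfInterest
$inventory | Format-Table -AutoSize
# Archive only the logs that exist and hold records.
Export-LogArchive -Names @($inventory | Where-Object { $_.Present -and $_.Records -gt 0 } | ForEach-Object LogName) -Destination $ArchiveDir
```

Keep the exported .evtx files on write-once or access-controlled storage; a log in Circular mode that is near its MaxSizeMB limit should be archived on a schedule tighter than its expected fill rate.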